Applies To:

BIG-IP ASM

Adding JSON Support to an Existing Security Policy

Overview: Adding JSON support to existing security policies

JSON (JavaScript® Object Notation) is a data-interchange format often used
to pass data between a client application and a server. This implementation describes
how to add JSON support to an existing security policy for an application that uses JSON for data
transfer. You create a JSON profile to define what the security policy enforces and considers
legal when it detects traffic that contains JSON data, and then associate the profile with the
URLs or parameters that carry JSON.

You add JSON support to a security policy by completing these tasks.

Task Summary

Creating a JSON profile
Associating a JSON profile with a URL

Creating a JSON profile

Before you can complete this task, you need to have already created a security
policy for your application.

This task describes how to create a JSON profile that defines the properties that
the security policy enforces for an application sending JSON payloads.

Adjust the maximum values that bound the JSON data the profile accepts
(total length of the JSON data, length of a single value, structure depth,
and array length), or use the default values. Because a request whose JSON
exceeds any of these limits causes a violation, base the values on the largest
legitimate payload the application sends.

In the Attack Signatures tab, in the Global Security Policy
Settings list, select any specific attack signatures that you
want to enable or disable for this profile, and then move them into the
Overridden Security Policy Settings list.

Tip: If no attack signatures are listed in the Global
Security Policy Settings list, create the profile, update
the attack signatures, then edit the profile.

Once you have moved any applicable attack signatures to the
Overridden Security Policy Settings list, enable or
disable each of them as needed:

Enabled: Enforces the attack signature for this JSON profile, even if the
signature is disabled in the security policy in general. The system reports
the violation Attack Signature Detected when the JSON in a request matches
the attack signature.

Disabled: Disables the attack signature for this JSON profile, even if the
signature is enabled in the security policy in general.

In the Element Name field, type the JSON element
whose values you want the system to consider sensitive.

Click Add.

Important: If the JSON data causes violations and the system stops
parsing the data part way through a transaction, the system masks only the
sensitive data that was fully parsed.

Add any other elements that could contain sensitive data that you want to
mask.

Click Create.

The system creates the profile and displays it in the JSON Profiles
list.

The profile has no effect on the security policy until you associate it with
a URL or parameter.

Next, you need to associate the JSON profile with any URLs or parameters that might
include JSON data.
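To see what the profile you just created actually enforces, the following Python model replays its checks on constructed payloads. This is an added example, not F5 code: the setting names (max_total_length and so on), the violation labels, and the "****" mask are the example's own, chosen to mirror the profile's maximum-value settings and sensitive-element masking described above. It also reproduces the behaviour in the Important note: masking is applied in document order and stops where the first violation stops parsing, so sensitive data after that point is left unmasked.

```python
"""Model of the checks a BIG-IP ASM JSON profile applies to a request body.

Added example, not F5 code. Setting and violation names are this example's
own, not the product's.
"""
import copy
import json
from dataclasses import dataclass, field

MASK = "****"  # stand-in for however the product renders masked values


@dataclass
class JsonProfile:
    """Subset of JSON profile settings; names are this example's own."""
    max_total_length: int = 10000     # bytes of JSON allowed in a request
    max_value_length: int = 100       # longest string value allowed
    max_structure_depth: int = 10     # nesting of objects/arrays
    max_array_length: int = 100       # elements allowed per array
    sensitive_elements: set = field(default_factory=set)


class _Stop(Exception):
    """Raised when a limit is exceeded; the walk stops at that point."""


def enforce(profile: JsonProfile, raw: str):
    """Check raw JSON against the profile.

    Returns (violations, masked). violations holds the first limit violation
    found, if any; masked is a copy of the document with sensitive values
    replaced by MASK, applied in document order only up to the point where
    the walk stopped, so anything after a violation stays unmasked.
    """
    if len(raw.encode("utf-8")) > profile.max_total_length:
        return ["JSON total length exceeded"], None
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [f"Malformed JSON: {exc}"], None

    def check_scalar(value):
        if isinstance(value, str) and len(value) > profile.max_value_length:
            raise _Stop("JSON value length exceeded")

    def visit(value, depth):
        if isinstance(value, (dict, list)):
            walk(value, depth)
        else:
            check_scalar(value)

    def walk(node, depth):
        # depth 1 is the top-level object or array
        if depth > profile.max_structure_depth:
            raise _Stop("JSON structure depth exceeded")
        if isinstance(node, dict):
            for key, value in list(node.items()):
                visit(value, depth + 1)
                if key in profile.sensitive_elements:
                    node[key] = MASK  # masked only once its value is fully checked
        else:
            if len(node) > profile.max_array_length:
                raise _Stop("JSON array length exceeded")
            for item in node:
                visit(item, depth + 1)

    masked = copy.deepcopy(doc)
    violations = []
    try:
        visit(masked, 1)
    except _Stop as stop:
        violations.append(str(stop))
    return violations, masked


if __name__ == "__main__":
    # Constructed payloads for demonstration.
    profile = JsonProfile(max_array_length=3, max_value_length=8,
                          max_structure_depth=3,
                          sensitive_elements={"password", "token"})
    print(enforce(profile, '{"user": "alice", "password": "hunter2"}'))
    # The array violation stops the walk before "token" is reached, so only
    # "password" is masked in the returned copy.
    print(enforce(profile,
                  '{"password": "hunter2", "tags": [1, 2, 3, 4], "token": "abc"}'))
```

The second call is the case the Important note warns about: the element named before the violation is masked, the one after it is not, so a violating request can still expose a sensitive value in whatever you log from it.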

Associating a JSON profile with a URL

Before you can associate a JSON profile with a URL, you need to have created a
security policy with policy elements including application URLs, and the JSON
profile.

You can associate a JSON profile with one or more explicit or wildcard URLs.

On the Main tab, click Security > Application Security > URLs.

In the Current edited policy list near the top of the screen,
verify that the edited security policy is the one you want to work on.

From the Allowed URLs List, click the name of a URL that might contain JSON
data.

The Allowed URL Properties screen opens.

Next to Allowed URL Properties, select
Advanced.

The screen refreshes to display additional configuration
options.

For the Header-Based Content Profiles setting, in the
Request Header Name field, type the name of the request header
whose value determines whether the request is treated as the Parsed
As type; for example, content-type.

This field is not case sensitive.

Note: If the URL always contains JSON data, just change the default
header-based content profile (the catch-all entry) to be Parsed As JSON; then you do not have to specify a header name
and value here.

For the Header-Based Content Profiles setting, in the
Request Header Value field, type the wildcard
(including *, ?, or [chars]) that the value of the header you named in the
Request Header Name field must match; for example,
*json*.

This field is case sensitive. A value of *json* therefore matches
application/json and application/vnd.api+json but not Application/JSON; if a
client sends the media type in a different case, add a separate entry for that
spelling, or the request is parsed by the default content profile instead.

From the Parsed As list, select
JSON.

From the Profile Name list, either select the JSON
profile appropriate for this URL, or click Create to
quickly add a new profile to the configuration.

Click Add.

Add as many header types as you need to secure this URL, clicking
Add after specifying each one.

To override the global meta character settings for this URL, adjust the meta
character policy settings:

In the Meta Characters tab, select the Check characters on
this URL check box, if it is not already selected.

Move any meta characters that you want to allow or disallow from the
Global Security Policy Settings list into the
Overridden Security Policy Settings
list.

In the Overridden Security Policy Settings list,
change the meta character state to Allow or
Disallow.

Continue to associate JSON profiles with any parameters in the application that
might contain JSON data.
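The header-based content profile entries you add above decide, per request, whether the JSON profile is consulted at all. The following Python model shows that selection on constructed requests. It is an added example, not F5 code: it takes from the procedure that the Request Header Name is matched case-insensitively, that the Request Header Value is a case-sensitive wildcard (*, ?, [chars]) and that the default entry parses requests as ordinary HTTP unless you change it; that entries are evaluated in the order listed with the first match winning, and the class and field names, are this example's assumptions.

```python
"""Model of header-based content profile selection for an allowed URL.

Added example, not F5 code. Evaluation order (first match wins) and all
names here are the example's assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class HeaderContentProfile:
    header_name: str        # request header to inspect; "*" matches any request
    header_value: str       # wildcard the header value must match (case-sensitive)
    parsed_as: str          # "JSON" or "HTTP" (ordinary form/query parsing)
    profile_name: str = ""  # JSON profile applied when parsed_as == "JSON"


# Catch-all entry every URL starts with; change parsed_as to "JSON" for a
# URL that always carries JSON, as the Note in the procedure suggests.
DEFAULT_ENTRY = HeaderContentProfile("*", "*", "HTTP")


def select_content_profile(entries, request_headers):
    """Return the first entry whose header name and value match the request.

    request_headers: dict of header name -> value as sent by the client.
    """
    # Header names are case-insensitive, so normalise them; values are not.
    headers = {name.lower(): value for name, value in request_headers.items()}
    for entry in entries:
        if entry.header_name == "*":
            return entry
        value = headers.get(entry.header_name.lower())
        if value is not None and fnmatchcase(value, entry.header_value):
            return entry
    return DEFAULT_ENTRY


if __name__ == "__main__":
    # Constructed entries and requests for demonstration.
    entries = [
        HeaderContentProfile("content-type", "*json*", "JSON", "api_json"),
        DEFAULT_ENTRY,
    ]
    # application/json and application/vnd.api+json both match *json*.
    print(select_content_profile(
        entries, {"Content-Type": "application/json; charset=utf-8"}))
    # Value matching is case-sensitive: this request is parsed as plain HTTP
    # and the JSON profile is never consulted. Add an entry for the spelling
    # the client actually sends.
    print(select_content_profile(entries, {"content-type": "Application/JSON"}))
```

Run it against the media types your clients really send (from the request log, not the API documentation) before trusting that the JSON profile is covering every request to the URL.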

Implementation result

You have manually added JSON support to the active security policy. The policy can now secure applications that use JSON for data transfer between the client and the server. If web application traffic includes JSON data, the system checks that it meets the requirements that you specified in the JSON profile.